SFT Keyring

If you enable the SFT keyring, all plaintext tokens in the state.json file will be encrypted. Once the SFT keyring is established on a system, it is automatically updated when the user logs in to Okta Privileged Access or attempts to access a server.

After the SFT keyring is activated, it can't be reversed. Okta Privileged Access employs the compat keyring for all operating systems, which doesn't offer encryption. To revert to the default compat keyring, users need to re-enroll and relogin.

Before you begin

  • SFT keyring encrypts access tokens. If the keys used to decrypt the tokens are unavailable, decryption is impossible. This prevents unauthorized data exfiltration.
  • SFT keyring on Linux uses D-Bus to connect to a desktop-specific SecretService and proactively secures access tokens. If sft can't reach an unlocked SecretService, it will not be able to decrypt those tokens. This may result in being locked out of your tokens while in non-desktop mode if you use Linux on both desktop and non-desktop. To avoid this, you can use the insecure compact keyring by setting SFT_KEYRING to compat in your shell initialization scripts and then re-enrol.

Setting up the Keyring

SFT keyring must be configured on every device. The operating system comes with a default keyring, and it determines the most suitable one to use. By using the system variable in the configuration, the operating system automatically selects the optimal keyring for use.


SFT keyring encrypts by default on macOS. You can set the keyring using the User Defaults framework:

$ defaults write com.scaleft.ScaleFT SFTKeyring system

Alternatively, you can enable it by setting an environment variable:

export SFT_KEYRING=system

If both are set, the environment variable takes precedence.

To disable encryption, use compat instead of system in the environment variable, and then re-enroll in the team.


SFT keyring encrypts by default on Windows. You can set the keyring using the registry:




Alternatively, you can set the keyring using the SFT_KEYRING environment variable.

HKEY_LOCAL_MACHINE takes precedence over both the environment variable and CURRENT_USER entry. The environment variable takes precedence over the CURRENT_USER entry.

To disable encryption, set the registry key to compat instead of system, and then re-enroll in the team.

FreeBSD / Linux

In FreeBSD and Linux, keyrings only work in a D-Bus desktop environment. In Linux, the default encryption method is system, while in FreeBSD, it's compat.

To set or update the SFT_KEYRING environment variable to either compat or system, add the following to the shell profile:

export SFT_KEYRING=system


export SFT_KEYRING=compat

Related topics

Use the Advanced Server Access client

Install the Advanced Server Access client

Manage the Advanced Server Access server agent